Q. What is a read-only domain controller (RODC)?
March 23, 2008
A. An RODC is a new domain controller (DC) mode in Windows Server 2008. It lets you store an Active Directory (AD) domain database read-only copy on the DC, but it has much more functionality than just a database read-only copy. The main features of an RODC are as follows:
A read-only AD Domain Services (AD DS) database--Applications that need only database read access can use the RODC; however, any database changes must be made to a read-writable DC (RWDC), then replicated back to the RODC.
Unidirectional replication--The RODC can't spread misinformation to the rest of the domain, even if a change is made on the RODC. This reduces the risk of a system-wide assault and reduces the complexity of the replication structure.
Filtered attribute set configuration--A filtered attribute set isn't replicated to any RODC in the forest. If an RODC is compromised and the set modified, a Server 2008 RWDC won't replicate the values. A Windows Server 2003 DC would. If possible, it’s best to have your forest function level set as Server 2008 so that Server 2003 servers won't be allowed in the forest in which they could compromise the data. It’s also important to note that you can't add system-critical attributes to the RODC filtered attribute set
Limited credential caching--An RODC doesn't store user or computer credentials (except for the RODC's computer account). When the RODC receives an authentication request, it forwards it to an RWDC. The RODC then requests a copy of the credential so that it can service the request itself in the future. If the password-replication policy allows credential caching, the credential details will be cached and the RODC can service logon requests (until the credentials change).
Separation of administrator capabilities--An RODC can designate users as server administrators without granting any domain or other DC permissions.
Read-only DNS--An RODC DNS doesn't allow client updates, nor does it register name-service resource records.
Two-stage RODC installation--The first installation stage is completed by a credentialed administrator. He or she creates an AD DS account for the RODC, with all the RODC's distributed AD database information, such as its DC account name and its site location. Then, the admin can designate which users or groups can finish the second installation stage, usually completed at the remote location. Stage two installs AD DS on the RODC and attaches the server to its AD DS account.
An RODC can replicate only from a Server 2008 RWDC, so no replication from Windows Server 2003 DCs or other Windows Server 2008 RODCs is possible.
About the Author
You May Also Like